Chapter 19

ON-LINE INTRUSION PROTECTION BY DETECTING ATTACKS WITH DIVERSITY

J. Reynolds, J. Just, E. Lawson, L. Clough and R. Maglich

Abstract

We have built a system for protecting web servers that serve securely connected, known users; it includes an innovative use of diversity for on-line attack identification. We are able to use attack identification to protect the system immediately, without debilitating waits for anti-virus updates or software patches, by positively verifying attacks with a sandbox. Unique to our approach is the use of diverse process pairs not only for their isolation benefits but also for detection. The architecture compares the outputs of diverse applications to provide a significant and novel intrusion detection capability. With this technique we gain the benefits of n-version programming without its controversial disadvantages. Diversity of applications also contributes to the isolation of intrusions by software, which is further improved by random rejuvenation.

Keywords: Computer security, fault tolerance, intrusion detection, diversity

1. Introduction

A potential solution to the problem of building more secure but still affordable and timely systems is to combine Commercial-Off-The-Shelf (COTS) hardware and software with proven techniques from the fault tolerant community. COTS software and hardware can provide cheap (though unreliable) components from which to build information systems. Fault tolerant techniques can build reliable systems from unreliable components despite intermittent or transient faults. In fact, highly available systems have been built with this approach [4]. There have been many other explorations of fault-tolerant approaches to providing reliable systems based on COTS hardware and software [1,9,12,15].

Most fault tolerant techniques work against faults that can be treated as rare events occurring at random. The faults that pertain specifically to computer and network security have different characteristics.
These "faults" depend on what are usually called vulnerabilities. Vulnerabilities are most often design

The original version of this chapter was revised: the copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI:

© IFIP International Federation for Information Processing 2003
E. Gudes et al. (eds.), Research Directions in Data and Applications Security
10.1007/978-0-387-35697-6_26
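The output-comparison mechanism described in the abstract, as an added illustrative example rather than the authors' code: two independently written request handlers serve the same request, a comparator canonicalises both outputs, and the response is released only when they agree. The two handlers, the file-system contents, the traversal flaw deliberately left in implementation A and the request traffic are all constructed for this illustration; nothing here is taken from the paper's system.

```python
"""Detection by diversity, modelled on the output-comparison idea above.

Two independently written request handlers (constructed for this example)
serve the same request.  A comparator canonicalises both outputs, serves the
response only if they agree, and withholds it (for sandbox verification and
replica rejuvenation) if they diverge.  None of this is the paper's code.
"""
import hashlib
import posixpath
from typing import Dict, Tuple

# Constructed view of the server's file system: absolute path -> contents.
FS: Dict[str, str] = {
    "/var/www/index.html": "<h1>welcome</h1>",
    "/var/www/about.html": "<p>about us</p>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",  # must never be served
}
DOCROOT = "/var/www"

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def serve_a(path: str) -> Response:
    """Implementation A (constructed): joins then normalises, and never checks
    that the normalised result is still under DOCROOT.  The flaw is deliberate
    so that the example has a divergence to detect."""
    full = posixpath.normpath(DOCROOT + path)
    hdr = {"Server": "impl-A/1.0"}
    if full in FS:
        return 200, hdr, FS[full]
    return 404, hdr, "not found"


def serve_b(path: str) -> Response:
    """Implementation B (constructed): normalises the request path on its own
    first, so '..' segments cannot climb above '/', then re-checks as defence
    in depth that the final path is still under the document root."""
    hdr = {"Server": "impl-B/2.3"}
    clean = posixpath.normpath("/" + path.lstrip("/"))
    full = posixpath.join(DOCROOT, clean.lstrip("/"))
    if not full.startswith(DOCROOT + "/"):
        return 403, hdr, "forbidden"
    if full in FS:
        return 200, hdr, FS[full]
    return 404, hdr, "not found"


def canonical(resp: Response) -> Tuple[int, str]:
    """Strip what legitimately differs between diverse implementations (here
    the Server header and surrounding whitespace) so the comparison targets
    the semantics of the response, not its cosmetics.  Comparing raw bytes
    would flag every request as an attack."""
    status, _headers, body = resp
    return status, body.strip()


def guarded_serve(path: str) -> Dict[str, object]:
    """Serve `path` through the diverse pair.  Agreement: release A's
    response.  Divergence: release nothing, and record only status codes and
    body digests so the withheld data does not leak through the log."""
    ra, rb = serve_a(path), serve_b(path)
    if canonical(ra) == canonical(rb):
        return {"decision": "serve", "status": ra[0], "body": ra[2]}

    def digest(r: Response) -> str:
        return hashlib.sha256(r[2].encode()).hexdigest()[:16]

    return {
        "decision": "withhold",
        "status": 503,
        "suspect_request": path,
        "outputs": {"A": (ra[0], digest(ra)), "B": (rb[0], digest(rb))},
        "action": "sandbox-verify request; rejuvenate both replicas",
    }


if __name__ == "__main__":
    # Constructed traffic: ordinary requests plus one traversal attempt.
    for req in ["/index.html", "/a/../about.html", "/missing.html",
                "/../../etc/passwd"]:
        print(req, "->", guarded_serve(req))
```

On the three benign requests both handlers agree and the response is served; on the traversal request implementation A answers 200 with the secret file while B answers 404, so the comparator withholds the output and marks the request for sandbox verification. The canonicalisation step is the part practitioners most often get wrong: diverse implementations differ in headers, whitespace and error wording, and without a semantic comparison the detector would drown in false positives.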